1. Field
This disclosure relates generally to separation of duties and, more specifically to techniques for implementing separation of duties using prime numbers.
2. Related Art
Today, security policies of many transactions, e.g., business transactions, require the enforcement of separation of duties (SOD), which in a basic form dictates that multiple tasks contained in a sensitive transaction each be performed by different entities. The main concept of SOD is to distribute the responsibility for a transaction among several different entities such that no single entity controls two or more tasks of the transaction. In this manner, collusion of two or more entities is required to commit deliberate fraud with respect to a transaction. As one example, SOD is employed in handling bank safe deposit boxes in that a bank has required use of two distinct keys to gain access to a safe deposit box. In this case, a first distinct key is maintained by a bank employee and a second distinct key is maintained by a bank customer that has rented the safe deposit box.
As another example, it is common for a company, e.g., a financial institution, to implement policies that prohibit a single employee from preparing and authorizing a check, e.g., an electronic check. In this case, a first employee (e.g., an accounts payable clerk) may prepare the check and a second employee (e.g., a manager) may authorize the check. While SOD is desirable in combating fraud in various transactions, there is no known efficient approach to implement SOD in computer systems that execute transactions. A typical SOD approach has tracked transaction tasks and the entities to which the tasks have been assigned. With this approach, when an entity has tried to perform a task associated with a transaction, a computer system has checked whether the entity has performed other tasks associated with the same transaction. If the entity has not performed other tasks associated with the transaction, the entity has generally been allowed to perform the task (assuming the entity met other qualifications). After the task was performed, the system has recorded the fact that the entity does not have a right to perform other tasks in the same transaction. From the perspectives of computation, storage, and administration, there is a relatively large amount of overhead to implement SOD using traditional approaches.